
Lack of IKEv1 lifetime negotiation
Closed, Resolved (Public)

Description

As testing by Oleksandr Mamenko shows, StrongSWAN 5.x in VyOS 1.2.0 does not appear to be negotiating the IKEv1 lifetime. This results in problems with platforms that do attempt to negotiate it.

IKEv1 is supposed to support lifetime negotiation (RFC2407, page 13).

To the contrary, IKEv2 excludes lifetime negotiation completely and leaves the peers to rekey when they feel like it (with some measures to reduce the likelihood of creating duplicate SAs, such as jittering). From RFC4306:

A difference between IKEv1 and IKEv2 is that in IKEv1 SA lifetimes
were negotiated. In IKEv2, each end of the SA is responsible for
enforcing its own lifetime policy on the SA and rekeying the SA when
necessary. If the two ends have different lifetime policies, the end
with the shorter lifetime will end up always being the one to request
the rekeying.

However, the details of the lifetime negotiation mechanism in RFC2407 are rather open to interpretation. In particular, "complete the negotiation but use a shorter lifetime than what was offered" is a valid choice (section 4.5.4). So, from the user's point of view, it may be impossible to tell lack of negotiation from technically valid behaviour, but we cannot rule out the chance that StrongSWAN is misapplying IKEv2 ideas to IKEv1.

I suppose our further course of action should be:

  1. Upgrade StrongSWAN to the latest version (5.6.5, ours is 5.3.4).
  2. If the problem is still reproducible, make IKE traffic dumps with null cipher to see what's going on, then either report to StrongSWAN maintainers or attempt to fix, or both.
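As an added example (not part of this task, nor VyOS or strongSwan code): a parser for the lifetime attributes carried in ISAKMP SA payloads, of the kind one would run over the null-cipher dumps proposed in step 2 to tell a responder that shortened the offered lifetime (valid under RFC 2407 section 4.5.4) from one that simply ignored the offer. It handles both the phase 1 attribute classes (Life Type 11 / Life Duration 12, RFC 2409 Appendix A) and the phase 2 IPsec DOI classes (1 / 2, RFC 2407 section 4.5). The SA payload bytes below are constructed for the example, not taken from a capture.

```python
import struct

# Protocol IDs (RFC 2407 sec. 4.4.1) and the attribute classes that carry the
# lifetime for each: IKE SA attributes per RFC 2409 App. A, IPsec SA
# attributes per RFC 2407 sec. 4.5.
PROTO_ISAKMP, PROTO_IPSEC_AH, PROTO_IPSEC_ESP = 1, 2, 3
LIFETIME_CLASSES = {
    PROTO_ISAKMP:    {"type": 11, "duration": 12},
    PROTO_IPSEC_AH:  {"type": 1,  "duration": 2},
    PROTO_IPSEC_ESP: {"type": 1,  "duration": 2},
}
LIFE_TYPE_NAMES = {1: "seconds", 2: "kilobytes"}


def parse_attributes(data):
    """Decode RFC 2408 sec. 3.3 data attributes into an ordered (type, value) list.
    High bit of the first 2 bytes is the AF flag: 1 = basic (2-byte value
    inline), 0 = variable (2-byte length, then the value)."""
    attrs, off = [], 0
    while off + 4 <= len(data):
        af_type, val_or_len = struct.unpack_from("!HH", data, off)
        off += 4
        if af_type & 0x8000:
            value = val_or_len
        else:
            raw = data[off:off + val_or_len]
            if len(raw) != val_or_len:
                raise ValueError("truncated variable-length attribute")
            off += val_or_len
            value = int.from_bytes(raw, "big")
        attrs.append((af_type & 0x7FFF, value))
    if off != len(data):
        raise ValueError("trailing bytes in attribute list")
    return attrs


def lifetimes(attrs, classes):
    """Pair each Life Type with the Life Duration that follows it; both RFCs
    require the duration attribute to come right after its type attribute."""
    life, pending = {}, None
    for attr_type, value in attrs:
        if attr_type == classes["type"]:
            pending = LIFE_TYPE_NAMES.get(value, "type%d" % value)
        elif attr_type == classes["duration"] and pending is not None:
            life[pending] = value
            pending = None
    return life


def parse_sa_payload(body):
    """Walk an SA payload body (DOI, Situation, chained Proposal payloads with
    their Transform payloads); return one lifetime dict per transform, keyed
    (proposal number, transform number)."""
    result, off = {}, 8                      # skip DOI (4) and Situation (4)
    while off < len(body):
        next_p, _, plen, prop_no, proto_id, spi_size, n_trans = struct.unpack_from(
            "!BBHBBBB", body, off)
        if plen < 8 + spi_size or off + plen > len(body):
            raise ValueError("bad proposal payload length")
        toff, tend = off + 8 + spi_size, off + plen
        classes = LIFETIME_CLASSES.get(proto_id, LIFETIME_CLASSES[PROTO_IPSEC_ESP])
        for _ in range(n_trans):
            _, _, tlen, t_no, _ = struct.unpack_from("!BBHBB", body, toff)
            if tlen < 8 or toff + tlen > tend:
                raise ValueError("bad transform payload length")
            # Attributes follow the 8-byte transform header.
            result[(prop_no, t_no)] = lifetimes(
                parse_attributes(body[toff + 8:toff + tlen]), classes)
            toff += tlen
        off = tend
        if next_p == 0:                      # no further proposal payload
            break
    return result


def classify_reply(offered, replied):
    """Compare offered lifetimes with the responder's chosen transform.
    'echoed' and 'shortened' are both valid under RFC 2407 sec. 4.5.4;
    'lengthened' or 'missing' means the responder did not negotiate."""
    verdict = {}
    for unit, offered_value in offered.items():
        got = replied.get(unit)
        if got is None:
            verdict[unit] = "missing"
        elif got == offered_value:
            verdict[unit] = "echoed"
        else:
            verdict[unit] = "shortened" if got < offered_value else "lengthened"
    return verdict


# --- constructed sample payloads (not from a real capture) -----------------
def _basic(attr_type, value):
    return struct.pack("!HH", 0x8000 | attr_type, value)

def _variable(attr_type, raw):
    return struct.pack("!HH", attr_type, len(raw)) + raw

def build_sa_payload(proto_id, transform_id, attrs, spi=b""):
    """One-proposal, one-transform SA payload body (DOI=IPSEC, SIT_IDENTITY_ONLY)."""
    transform = struct.pack("!BBHBBH", 0, 0, 8 + len(attrs), 1, transform_id, 0) + attrs
    proposal = struct.pack("!BBHBBBB", 0, 0, 8 + len(spi) + len(transform),
                           1, proto_id, len(spi), 1) + spi + transform
    return struct.pack("!II", 1, 1) + proposal

KEY_IKE = 1
# Phase 1 offer: 3DES / SHA1 / PSK / group 2, lifetime 86400 s (variable-length duration).
OFFER = build_sa_payload(PROTO_ISAKMP, KEY_IKE,
    _basic(1, 5) + _basic(2, 2) + _basic(3, 1) + _basic(4, 2)
    + _basic(11, 1) + _variable(12, struct.pack("!I", 86400)))
# Responder accepts the transform but applies its own shorter 28800 s policy.
REPLY = build_sa_payload(PROTO_ISAKMP, KEY_IKE,
    _basic(1, 5) + _basic(2, 2) + _basic(3, 1) + _basic(4, 2)
    + _basic(11, 1) + _basic(12, 28800))

if __name__ == "__main__":
    offered = parse_sa_payload(OFFER)[(1, 1)]
    replied = parse_sa_payload(REPLY)[(1, 1)]
    print("offered", offered, "replied", replied, "->", classify_reply(offered, replied))
```

On a real dump you would feed `parse_sa_payload` the SA payload body of the initiator's first message and of the responder's reply (everything after the 4-byte generic payload header). A `shortened` verdict is the RFC 2407 4.5.4 case the description mentions, indistinguishable from the user's side from a responder that negotiates nothing unless the reply is inspected this way; `echoed` on every exchange regardless of the peer's offer, or `missing`, is what would point at a lack of negotiation.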

Details

Difficulty level: Unknown (require assessment)
Version: -
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Perfectly compatible
Issue type: Bug (incorrect behavior)

Event Timeline

dmbaturin created this object with visibility "Public (No Login Required)".
syncer triaged this task as Normal priority. May 27 2018, 9:45 AM
syncer edited projects, added VyOS 1.2 Crux (VyOS 1.2.0-rc1); removed VyOS 1.2 Crux.
syncer edited subscribers, added: Active contributors, Maintainers; removed: Sentrium, dmbaturin.
syncer changed the task status from Open to Needs testing. Feb 8 2019, 12:00 AM
syncer reassigned this task from dmbaturin to zsdc.
syncer lowered the priority of this task from Normal to Low.
syncer added a subscriber: dmbaturin.

No one complained in a long time. ;)
If it re-appears, feel free to reopen. We also need to find a platform that knowingly does IKEv1 lifetime negotiation for testing this.

dmbaturin renamed this task from "IKEv1 lifetime negotiation in VyOS 1.2.0" to "Lack of IKEv1 lifetime negotiation". Sep 3 2021, 7:36 AM
dmbaturin set Is it a breaking change? to Perfectly compatible.
dmbaturin set Issue type to Bug (incorrect behavior).